spn-review (listed)
Install: claude install-skill vanterx/mssql-performance-skills
# SQL Server SPN and Kerberos Delegation Review Skill
## Purpose
Analyze SQL Server SPN configuration and Active Directory delegation attributes to surface
Kerberos authentication failures, NTLM fallback causes, and double-hop connectivity problems.
Applies 40 checks (K1–K40) across seven categories:
- **K1–K6** — MSSQLSvc SPN presence: default instance, named instance, FQDN variant,
short-hostname variant, port mismatch, and FCI Virtual Network Name
- **K7–K11** — Service account binding: SPN on wrong account, duplicate SPNs, machine account
vs domain account, stale SPNs from old accounts, MSA/gMSA auto-registration gaps
- **K12–K16** — AG listener and alias: listener SPN, named instance port conflict, SQL Browser,
alias SPN, multi-subnet listener coverage
- **K17–K20** — Configuration and permissions: HTTP SPN, registration permission gap,
unconstrained delegation, NTLM fallback signal
- **K21–K25** — Kerberos delegation (service account): constrained delegation (KCD) not
configured, missing target SPN, protocol transition, RBCD misconfiguration, delegation scope
- **K26–K30** — AD account and computer sensitivity: AccountNotDelegated on end-user, Protected
Users membership on end-user, computer account SPN conflict, computer account unconstrained
delegation, service account in Protected Users
- **K31–K40** — Azure AD / hybrid and advanced scenarios: Entra ID hybrid SPN gap, Entra-only
auth with orphaned AD SPN, Azure SQL MI on-premises SPN, gMSA rollover
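Added example, not the skill's own code: a PowerShell review of the SPN-presence and account-binding checks above (K1 to K5, K7 to K9) plus the unconstrained-delegation check K18, for one SQL Server instance. It assumes the RSAT ActiveDirectory module; the host name, instance name, port and service account name are constructed placeholders.

```powershell
param(
    [string]$HostName       = 'sql01',        # constructed sample values; replace with your own
    [string]$InstanceName   = 'MSSQLSERVER',  # MSSQLSERVER = default instance
    [int]$Port              = 1433,
    [string]$ServiceAccount = 'svc-sql'       # sAMAccountName that should own the SPNs
)
Import-Module ActiveDirectory

# K1-K5: the SPN set a single instance is expected to hold (FQDN and short-host forms).
function Get-ExpectedMssqlSpn {
    param([string]$HostName, [string]$InstanceName, [int]$Port)
    $fqdn  = [System.Net.Dns]::GetHostEntry($HostName).HostName
    $short = $fqdn.Split('.')[0]
    $spns  = @("MSSQLSvc/${fqdn}:$Port", "MSSQLSvc/${short}:$Port")
    if ($InstanceName -eq 'MSSQLSERVER') {
        $spns += "MSSQLSvc/$fqdn", "MSSQLSvc/$short"      # default instance also uses the port-less form
    } else {
        $spns += "MSSQLSvc/${fqdn}:$InstanceName", "MSSQLSvc/${short}:$InstanceName"
    }
    return $spns
}

# K7-K9, K18: which object holds each SPN, and is that holder the intended account?
function Test-MssqlSpn {
    param([string]$Spn, [string]$ExpectedOwner)
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                 -Properties sAMAccountName, objectClass, userAccountControl)
    if ($holders.Count -eq 0) {
        return [pscustomobject]@{ Spn=$Spn; Check='K1-K5'; Finding='SPN not registered; Kerberos cannot be used, NTLM fallback likely' }
    }
    if ($holders.Count -gt 1) {
        return [pscustomobject]@{ Spn=$Spn; Check='K8'; Finding="duplicate SPN on: $($holders.sAMAccountName -join ', ')" }
    }
    $h = $holders[0]
    if ($h.objectClass -eq 'computer') {
        return [pscustomobject]@{ Spn=$Spn; Check='K9'; Finding="held by machine account $($h.sAMAccountName), not a domain service account" }
    }
    if ($h.sAMAccountName -ne $ExpectedOwner) {
        return [pscustomobject]@{ Spn=$Spn; Check='K7'; Finding="held by $($h.sAMAccountName), expected $ExpectedOwner" }
    }
    if ($h.userAccountControl -band 0x80000) {   # TRUSTED_FOR_DELEGATION flag in userAccountControl
        return [pscustomobject]@{ Spn=$Spn; Check='K18'; Finding="$($h.sAMAccountName) is trusted for unconstrained delegation" }
    }
    [pscustomobject]@{ Spn=$Spn; Check='OK'; Finding="held by $ExpectedOwner" }
}

Get-ExpectedMssqlSpn -HostName $HostName -InstanceName $InstanceName -Port $Port |
    ForEach-Object { Test-MssqlSpn -Spn $_ -ExpectedOwner $ServiceAccount } |
    Format-Table -AutoSize
```

Run it as a script from a domain-joined host with read access to AD; each expected SPN is reported with the first check it fails, or OK.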